[PVE-User] Advices - Proxmox behind L3 or L2 network
Leslie-Alexandre DENIS
infoslad at gmail.com
Sun Nov 10 15:12:50 CET 2013
Thanks Alexandre for your information, very useful. I intend to do
something like that but unfortunately I didn't find any good
router/firewall appliance in my budget to do that on the administration
side.
Do you know if it's possible to force Proxmox Web built-in to listen on
localhost only? Thus I could build an Apache2 with mod_security as a
reverse proxy for WAN access.
Thanks,
On 07/11/2013 22:57, Alexandre Kouznetsov wrote:
> Hello.
>
> On 07/11/13 15:09, Leslie-Alexandre DENIS wrote:
>> I'm currently designing a Proxmox based virtualization solution and I'm
>> wondering how you guys manage your edge connection.
>> Do you prefer to route and set up your own L3 network before exposing the
>> server? Or just leave the server with a WAN IP?
>> What are your ideas regarding network security (BCP, RP Filtering...)?
>
> My Proxmox nodes are multihomed.
>
> One interface goes to a "public" L2 manageable switch. The VMs hosted
> on Proxmox usually have a virtual network interface with some VLAN
> tag. The Internet access of those VLANs is handled by other means,
> outside of the Proxmox cluster. The addresses used in those VLANs are
> private and public.
>
> The other interface is used for administration and storage (mostly backup
> and migration, the VMs use local storage). It also goes to a
> manageable L2 switch, but the VLAN capability is not used, ethernet
> connections are untagged. This network uses strictly private
> addressing and there is a router/firewall between it and Internet.
> It's completely independent from the router used by public VLANs. I
> access the nodes for administration via VPN (my router provides that)
> or a reverse proxy (Nginx on the router). Special trick (DNAT+SNAT)
> was required on the router in order to be able to access the VNC
> console from the web interface. The preferred method of connection is
> VPN, reverse proxy is auxiliary.
>
> Greetings.
>